https://github.com/agentrhq/authsome
Local credential vault for AI agents. Log in once via Oauth2 or API Key. Every agent stays authenticated — headless, no SaaS, agents never see your credentials.
https://github.com/agentrhq/authsome
agent-identity agent-security ai-agents api-keys authentication claude-code cli credential-manager developer-tools headless hermes-agent llm local-first mcp oauth2 openclaw python secrets-management security-tools vault
Last synced: 4 days ago
JSON representation
Local credential vault for AI agents. Log in once via Oauth2 or API Key. Every agent stays authenticated — headless, no SaaS, agents never see your credentials.
- Host: GitHub
- URL: https://github.com/agentrhq/authsome
- Owner: agentrhq
- License: mit
- Created: 2026-04-16T11:55:49.000Z (about 2 months ago)
- Default Branch: main
- Last Pushed: 2026-05-26T11:20:36.000Z (6 days ago)
- Last Synced: 2026-05-26T12:31:29.694Z (6 days ago)
- Topics: agent-identity, agent-security, ai-agents, api-keys, authentication, claude-code, cli, credential-manager, developer-tools, headless, hermes-agent, llm, local-first, mcp, oauth2, openclaw, python, secrets-management, security-tools, vault
- Language: Python
- Homepage: https://authsome.ai/docs
- Size: 6.39 MB
- Stars: 36
- Watchers: 0
- Forks: 7
- Open Issues: 8
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Agents: AGENTS.md
Awesome Lists containing this project
- awesome-agent-runtime-security - authsome - store, token-refresh | Local credential layer for AI agents: log in once via OAuth2 or API key, authsome keeps tokens fresh (auto-refresh, expiry handling) across scripts, cron, CI, and parallel pipelines. Single encrypted store for all providers; agents call it at runtime instead of reading env vars. | (Secrets Management & Isolation)
README
Local-first credential broker and vault for AI Agents
Docs ·
Website ·
Discord ·
Issues
---
An open-source credential broker that sits between your agents and the services they call. Instead of sharing credentials with every agent, log in once via OAuth2 or API keys. Authsome stores credentials securely and injects them via an HTTP proxy. You get one place to manage access, rotate keys, and see what every agent is doing.
**45 bundled providers** out of the box: 14 OAuth2 and 31 API key. [See the full list](https://authsome.ai/docs/reference/bundled-providers).
---
## Demo
https://github.com/user-attachments/assets/27f9b229-baf4-4889-be9a-378a133654dc
---
## Why Agents Need Authsome
Agents run beyond interactive sessions. They live in CI, over SSH, in cron jobs, in background workers, and in parallel pipelines. They need API access that survives without a human in the loop.
Hardcoded environment tokens leak or go stale, and building auth flow logic, token storage, refresh handling, and per-provider config into every project rebuilds the same plumbing every time.
Authsome is the local credential layer agents call at runtime.
- **No credential sprawl.** One encrypted store. Every provider, every agent, one place.
- **No SaaS, no privacy trade-off.** Credentials never leave your machine. Eliminates credential exfiltration risks as agents never see them.
- **No browser required at runtime.** Setup can use browser PKCE, device code, or a browser bridge for secure API key entry. After that, agents run headlessly.
---
## How It Works
The CLI is the agent's interface: setup once, then inject fresh credentials whenever a tool runs.
Authenticate once:
```bash
authsome login github
# This opens a browser on user's machine
# user completes login without sharing the creds with the agent.
```
Then agents get valid credentials on demand when they try to access external services.
All they need to do is use `authsome run --` before the command they want to run:
```bash
authsome run -- curl -s "https://api.github.com/user/repos?per_page=10"
# runs behind a local auth proxy that injects headers at request time
# without exposing secrets in the child process environment.
# matched automatically via provider api_url (e.g. api.openai.com)
```
Credentials are stored locally, encrypted at rest, and refreshed before expiry. No server. No account. No cloud.
---
## Why Authsome
| | authsome | Hardcoded env tokens | DIY |
|--|:--------:|:--------------------:|:---:|
| Automatic token refresh | ✅ | ❌ | build it |
| OAuth2 + API keys | ✅ | ❌ | build it |
| Runtime headless use | ✅ | ✅ | varies |
| Local, no SaaS dependency | ✅ | ✅ | ✅ |
| Built-in providers, zero config | ✅ | ❌ | ❌ |
| Multi-account per provider | ✅ | ❌ | build it |
Authsome gives agents one command for a valid token, without scattering long-lived secrets across every project.
---
## Install
Requires Python 3.13+.
```bash
uv tool install authsome
```
## Quick Start
Add the authsome skill to your agent (claude, codex, cursor, hermes, etc.):
```bash
npx skills add agentrhq/authsome
```
And try a sample task that requires access to external services:
```
Star the repo agentrhq/authsome
```
```
Get my last 5 emails from gmail
```
```
Check my stripe balance
```
The agent will use authsome to login into external services and perform the task.
## Agent Integrations
Authsome ships with adapters for the most common agent frameworks and CLIs:
- [Claude Code](https://authsome.ai/docs/integrations/agents/claude-code)
- [Codex](https://authsome.ai/docs/integrations/agents/codex)
- [Cursor](https://authsome.ai/docs/integrations/agents/cursor)
- [OpenCode](https://authsome.ai/docs/integrations/agents/opencode)
- [LangChain](https://authsome.ai/docs/integrations/agents/langchain)
- [LlamaIndex](https://authsome.ai/docs/integrations/agents/llamaindex)
- [OpenAI Agents SDK](https://authsome.ai/docs/integrations/agents/openai-agents-sdk)
- [Anthropic SDK](https://authsome.ai/docs/integrations/agents/anthropic-sdk)
Full list at [authsome.ai/docs/integrations](https://authsome.ai/docs/integrations/agents/index).
## Docs
Full documentation lives at **[authsome.ai/docs](https://authsome.ai/docs)**.
- [Quickstart](https://authsome.ai/docs/quickstart)
- [CLI reference](https://authsome.ai/docs/reference/cli)
- [Architecture](https://authsome.ai/docs/concepts/architecture)
- [Custom providers](https://authsome.ai/docs/guides/custom-providers)
- [Troubleshooting](https://authsome.ai/docs/troubleshooting/doctor)
To preview the docs site locally:
```bash
cd docs/site
npm i -g mint # requires Node.js >= 20.17.0
mint dev
```
## Telemetry
Authsome's daemon can emit product analytics through PostHog. You can disable telemetry with any of these environment variables:
- `DO_NOT_TRACK=1` disables analytics using the standard opt-out convention.
- `POSTHOG_DISABLED=1` disables analytics using PostHog's recommended kill switch.
- `AUTHSOME_ANALYTICS=0` disables analytics with an Authsome-specific override.
## Community
- **[Discord](https://discord.gg/9YP2C9tvMp)** for questions, help, and showing what you're building.
- **[GitHub Issues](https://github.com/agentrhq/authsome/issues)** for bugs and feature requests.
## Security
Authsome is a credential tool. If you find a vulnerability, please do **not** open a public GitHub issue.
See the [responsible disclosure policy](https://authsome.ai/docs/security/disclosure) for how to report it privately.
## Roadmap
See [authsome.ai/docs/roadmap](https://authsome.ai/docs/roadmap) for what's shipped, what's next, and what's out of scope.
## Contributing
- **Found a bug?** [Open an issue](https://github.com/agentrhq/authsome/issues/new?template=bug_report.md)
- **Have an idea?** [Start a discussion](https://github.com/agentrhq/authsome/discussions/new?category=ideas)
- **Want to contribute?** Read [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, testing, and the engineering principles we follow.
## Links
- **Website:** [authsome.ai](https://authsome.ai)
- **Docs:** [authsome.ai/docs](https://authsome.ai/docs)
- **Discord:** [discord.gg/9YP2C9tvMp](https://discord.gg/9YP2C9tvMp)
- **Issues:** [github.com/agentrhq/authsome/issues](https://github.com/agentrhq/authsome/issues)
## Star History
## License
MIT. See [LICENSE](LICENSE).